Zero Trust security is an IT security approach that involves tight identity verification for everyone wanting to access resources on a private network, whether they are inside or outside the network perimeter. Although ZTNA is the most commonly linked technology with Zero Trust architecture, Zero Trust is a comprehensive approach to network security that includes different principles and technologies.
Traditional IT network security trusts anyone and anything inside the network. A Zero Trust architecture trusts no one and nothing.
Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is that once an attacker gains access to the network, they have complete control over everything inside.
Zero Trust security indicates that no one can be trusted by default, whether inside or outside the network, and that anyone attempting to get access to network resources must first verify their identity.
What are the main principles behind Zero Trust security?
Core principles of Zero Trust security are – Never trust & always verify, Implement least privilege and assume breach.
Continuous monitoring and validation
A Zero Trust network is built on the assumption that there are attackers both inside and outside the network, so no users or machines should be automatically trusted. Verify user identity and privileges as well as device identity and security. Logins and connections time out periodically once established, forcing users and devices to be continuously re-verified.
This means giving users only as much access as they need minimizing each user’s exposure to sensitive parts of the network.
Device access control
Zero Trust systems need to monitor how many different devices are trying to access their network, ensure that every device is authorized and make sure they have not been compromised. Impose strict controls on device access.
Microsegmentation is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network. For example, a data centre that utilizes microsegmentation may contain dozens of separate, secure zones and person or program with access to one of those zones will not be able to access any of the other zones without separate authorization.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a core principle of Zero Trust security. MFA means requiring more than one evidence to authenticate a user. For example, in addition to entering a password, users who enable 2FA for these services must also enter a code sent to another device, such as a mobile phone, thus providing two pieces of evidence that they are who they claim to be. There are different effective mechanisms available for providing MFA.
Read my other articles as part of Zero Trust series –
What is the castle-and-moat network model?